2019 saw a number of ransomware threats that crippled individual computers as well as entire organizations. One such ransomware that hit the headlines is the PureLocker ransomware. It is malware capable of attacking both Windows- and Linux-based production servers and enterprises.
The PureLocker ransomware is so called because its code is written in the PureBasic programming language. This gives it several advantages over other ransomware families. First, PureBasic is not a common choice, so many anti-malware solutions are poorly equipped to deal with the threat it poses; in other words, many antivirus programs have limited signature coverage for PureBasic binaries.
Although novel in many ways, the PureLocker ransomware still reuses some code from known families such as the “more_eggs” ransomware family. More_eggs is sold as malware-as-a-service (MaaS) on the dark web, meaning that the attacks by PureLocker are tied to underworld criminal groups such as the Cobalt Group and the FIN6 gang.
What the PureLocker Malware Does
We have already established that the PureLocker ransomware is a bit different from other malware, but how exactly does it operate? The ransomware is known to evade user-mode API hooking of NTDLL functions by loading its own copy of “ntdll.dll” and resolving API addresses from there. This evasion trick makes it hard for antivirus programs to counter the malware, because user-mode API hooking is what they rely on to see exactly which functions malware (or any other software, for that matter) calls.
The malware also has its PureLocker components installed through a Windows command-line utility called regsvr32.exe, without raising any dialogs. Upon execution by regsvr32.exe, the malware verifies the current year, confirms that its own file extension is .DLL or .OCX, and checks whether the user of the computer has administrator rights. If any of these verifications fails, the malware quietly exits as if nothing had happened; if everything checks out, the target’s files are encrypted with the standard AES + RSA encryption combination, and a .CRI extension is added to every encrypted file. Shadow copies and Windows backups are deleted during the infection process so that you have no way of ever recovering your files.
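Detection logic for the two behaviours just described (the second mapping of ntdll.dll, and a regsvr32-launched payload that renames files to .CRI), as an added example that is not part of the original article: a small Python rule set run over constructed Sysmon-style event records. The event IDs follow Sysmon's conventions (1 = process create, 7 = image load, 11 = file create); the user-profile path heuristic and the .CRI burst threshold are assumptions.

```python
# Added example (not from the original article): runs three detection rules,
# one for each PureLocker behaviour described above, over Sysmon-style events.
# Event records and paths are constructed sample data, not a real capture.
from collections import defaultdict

# Constructed events: EventID 1 = process create, 7 = image load, 11 = file create.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\update.ocx"},
    {"EventID": 7, "ProcessId": 4120, "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 7, "ProcessId": 4120, "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 11, "ProcessId": 4120, "TargetFilename": r"C:\Users\alice\Documents\q3.xlsx.CRI"},
    {"EventID": 11, "ProcessId": 4120, "TargetFilename": r"C:\Users\alice\Documents\plan.docx.CRI"},
    {"EventID": 11, "ProcessId": 4120, "TargetFilename": r"C:\Users\alice\Documents\photo.jpg.CRI"},
    {"EventID": 11, "ProcessId": 900, "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 7, "ProcessId": 900, "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]

def is_user_writable(path):
    """Heuristic (assumption): a module under a user profile is suspicious for regsvr32."""
    return "\\users\\" in path.lower()

def detect(events, cri_threshold=3):
    """Return (rule, pid) alerts in the order they fire; each rule fires once per pid."""
    ntdll_loads = defaultdict(int)   # a process normally maps ntdll.dll exactly once
    cri_writes = defaultdict(int)    # encrypted files get the .CRI extension
    alerts = []
    for ev in events:
        pid, eid = ev["ProcessId"], ev["EventID"]
        if eid == 1 and ev["Image"].lower().endswith("\\regsvr32.exe"):
            modules = [t for t in ev["CommandLine"].split() if t.lower().endswith((".dll", ".ocx"))]
            if any(is_user_writable(m) for m in modules):
                alerts.append(("regsvr32_user_path_module", pid))
        elif eid == 7 and ev["ImageLoaded"].lower().endswith("\\ntdll.dll"):
            ntdll_loads[pid] += 1
            if ntdll_loads[pid] == 2:   # second copy of ntdll.dll: the hook-evasion trick
                alerts.append(("duplicate_ntdll_load", pid))
        elif eid == 11 and ev["TargetFilename"].lower().endswith(".cri"):
            cri_writes[pid] += 1
            if cri_writes[pid] == cri_threshold:
                alerts.append(("cri_extension_burst", pid))
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

Each rule is noisy on its own (regsvr32 legitimately registers DLLs, and some security products map a second ntdll.dll themselves); the value is in all three firing for the same process ID.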
The last unusual thing about the PureLocker ransomware is that, rather than displaying a readme.txt telling victims where to send the ransom money, it provides an anonymous, encrypted email address that links the attackers with the victims. If they come to an agreement, an offer to decrypt the files is made.
How to Remove the PureLocker Ransomware from Your Computer
PureLocker is a unique malware in many ways, and it can stay hidden on a computer without detection for a really long time. So, the options for removing the malware are limited to a few. But no matter how desperate you are, you should never consider paying the ransom to the criminals behind the malware. For one, it will only make you a target next time, as your willingness to pay is exactly what keeps cybercriminals motivated. Also, consider the possibility that the malware creators will not live up to their promise to decrypt your files once they receive the ransom; think about it: what can possibly happen to them if they fail to honor their end of the bargain? Sadly, nothing.
So, what can you do to free your computer from the PureLocker ransomware if paying the ransom is not an option? We suggest that you run your computer in Safe Mode with Networking. This will give you access to network resources that you can subsequently use to download a powerful anti-malware solution such as Outbyte Antivirus.
The antivirus will remove PureLocker ransomware and all its malicious components.
To boot into Safe Mode with Networking on Windows 7, Vista or Windows XP, take the following steps:
- Go to Start > Shutdown > Restart > OK.
- When your computer restarts, press F8 multiple times until the Advanced Boot Options menu appears.
- Select Safe Mode with Networking by pressing the F5 key.
Safe Mode with Networking on Windows 8 and 10:
- Hold the power button for about 10 seconds to turn off your computer.
- Press the power button again, this time to turn the device on.
- Repeat the two steps above until your device enters the Windows Recovery Environment (WinRE).
- On the Choose an Option screen that appears, select Troubleshoot > Advanced Options > Startup Settings > Restart.
- After your computer restarts, you will see a list of options. Use the arrow keys to select Safe Mode with Networking.
If the Safe Mode with Networking option fails to remove the PureLocker ransomware, then you can repeat the above steps. But this time, instead of choosing Startup Settings, select System Restore.
System Restore is a Windows recovery process that allows you to revert changes to settings and apps on your computer. You can use it to remove apps and software that is problematic.
If the PureLocker malware has hit your Mac, you can use Time Machine to recover some of your files, settings, and apps. But just as with System Restore, the Time Machine backup has to have been made before the infection.
If all else fails, and this applies to your Mac too, consider installing a fresh version of the OS.
Protecting your computer from infection should be the most important task that you undertake. Here are a few tips to prevent malware such as PureLocker from ever infecting your organization.
Update all your systems
It is unfortunate that some organizations still run old Windows versions such as Windows XP that no longer receive any official protection from Microsoft. Windows XP was once a great product, but the world has since moved on, and sticking to it only increases the chances that one of its many vulnerabilities is going to be used against you.
Install an anti-malware
Do you have a premium anti-malware solution on your computer? If not, you should get one and, while you are at it, you should also consider installing a PC repair tool such as Outbyte PC Repair. This tool will constantly scan the health of your PC. It will also clean your storage space, help repair broken or corrupt registry entries, and optimize the performance of the RAM.
Create a backup of your files
You should have a physical disk where you store some of your most important files in case a nasty surprise such as the PureLocker malware strikes your systems. Without the threat of losing your files, a ransomware attack will be like every other day in the office.